
Massive Uptick in Number of Attacks to the SIP Server/Call Manager

Status
Not open for further replies.

michaelholt

Starting about 2 weeks ago, we are getting up to 500 emails a day from the affected module: SIP Server/Call Manager, with each auto-blocking attempt coming from wildly different IP addresses, making it impossible, even using ranges, to block them permanently. Currently, the auto-blocking time interval is set at one day or 86,400 seconds.

Any ideas on how to block this?

I could easily block it at the firewall but we have users that need to have the 3CX app on their phone meaning I don't know what the IP address is to use port 5060.

I have done this: in Settings / Security / Anti-Hacking, I divided each value by two, except the blacklist time interval and the security barrier (green).

Is there something 3CX could do if I create a ticket? At this point, I am pulling my hair out and I don't have too much of that left.

craigreilly

Mobile devices should be provisioned using the Tunnel port 5090.
Within the extension: (screenshot attached)
Then send the user a new welcome email to reprovision.

Then block 5060 from all but remote offices connecting as STUN and provider IPs - on your Router.
 
I'll get on that. Thank you craigreilly.

Set the blacklist timeout to several days, then go in and permanently block them (or at least set the expiry date somewhere in the distant future).
 
Yes, we could set the timeout longer, but for the most part it doesn't seem to matter, as some are seemingly randomly blocked for 4 seconds, others for 10 minutes. I know there is an explanation for this, but I still don't understand why 3CX does this.

I have a blacklist consisting of a ton of single addresses along with address ranges. Because the attacks are now coming from very random IP addresses, manually blocking IPs is unfeasible if not totally impossible.

 
Use the firewall. Only allow port 5060 from your sip provider. Unless you are using Stun, you don’t need to allow it from anywhere else.
 
Hello there,
Just wanted to mention that we've also been monitoring these scans; their scale is indeed unprecedented, but as long as your 3CX Phone Systems have the default security settings (anti-hacking, random credentials everywhere, the "disallow use outside LAN" option ticked unless using STUN, etc.), then they are secure and you shouldn't worry.

We've been actively reporting all these IPs to their relevant ISP / hosting / VPN services as well.

In any case, as Craig mentioned, your best protection is to filter by firewall/ACL the SIP port and allow only trusted sources to reach it.

We are actually working on new security features against such events, I can't tell you more at the moment but there will be announcements later on through our blog.

Regarding the blocking duration sometimes being short, it can happen when the green/amber anti-hacking security barriers are passed (in number of packets received from a given source) but not the red one. So you could also decrease those threshold values, although don't be too strict, as you might end up blocking legitimate sources as well.
 
Please keep in mind that in most cases, defaults for the 3CX mobile client communicate over port 5090 (Tunnel) - as do remote locations using an SBC. The only access to port 5060 required is your SIP trunk provider and any remotely configured STUN devices.
 
I've seen a huge increase in blacklisted IPs in the past few days. Normally I get 5-10 emails a week at minimum that an IP was blacklisted, at which point I block them in the firewall and let it expire in the 3CX blacklist. However, the past few days I've been getting between 20 and 50 blacklisted IPs per day - always due to failed authentication.

I am considering blocking port 5060 from any IP except provider and STUN locations, but a few of our remote STUN phones have dynamic IP addresses so this would cause issues in the future.

I would suggest you increase the amount of time they are in the blacklist. Mine is at 2 weeks, but like I said I block them permanently at the firewall anyway. I'd suggest 31536000 seconds (1 year) or more to make sure none of these IPs are repeat offenders. Also, I decreased failed authentication to blacklist after 3 failed attempts, but that may be too low for some environments.
 
Unless you are using remote STUN extensions, you should by default be locking down SIP port 5060 on your firewall to your SIP provider.
This is one of our first steps on every install.
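The allowlist that several replies above recommend (5060 reachable only from the SIP trunk provider and any static-IP STUN handsets, the 5090 tunnel left open for mobile apps and SBCs), written out as an nftables ruleset for a Linux host or router in front of the PBX. This is an added example, not configuration from the thread, from 3CX or from any poster; the table name, set names and all addresses are constructed placeholders to be replaced with your own.

```nft
# Added example: restrict SIP signalling on 5060 to trusted sources.
# Table/set names and addresses are constructed placeholders.
table inet pbx_sip {
    # SIP trunk provider signalling sources (constructed placeholders)
    set sip_providers {
        type ipv4_addr
        flags interval
        elements = { 203.0.113.0/28, 203.0.113.77 }
    }

    # Remote STUN handsets that have static addresses (constructed placeholder).
    # Handsets on dynamic addresses cannot be listed here; as noted in the
    # thread, such phones are better moved to the 5090 tunnel or an SBC.
    set stun_phones {
        type ipv4_addr
        elements = { 198.51.100.23 }
    }

    chain input {
        # policy accept: only 5060 is filtered, the rest of the PBX is untouched
        type filter hook input priority 0; policy accept;
        ct state established,related accept

        # 3CX tunnel for mobile apps and SBCs stays reachable from anywhere
        udp dport 5090 accept
        tcp dport 5090 accept

        # SIP signalling only from the provider and known STUN handsets
        ip saddr @sip_providers udp dport 5060 accept
        ip saddr @sip_providers tcp dport 5060 accept
        ip saddr @stun_phones   udp dport 5060 accept

        # Everything else aimed at 5060: log a rate-limited sample, then drop
        udp dport 5060 limit rate 10/minute log prefix "sip-5060-drop " drop
        udp dport 5060 drop
        tcp dport 5060 drop
    }
}
```

Load with `nft -f <file>` and watch the kernel log for the `sip-5060-drop` prefix to confirm the scanners are now hitting the firewall instead of the 3CX anti-hacking module.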
 